🔗 ROP Chain Calculator

Precise x86 instruction size analysis for exploit development

Created by Mohammad Hussam Alzeyyat | The Science of Hacking

🚧 Roadmap & Upcoming Features

🎯 Coming Soon

🔥 Full x64 Support - Complete 64-bit instruction database with REX prefixes
💪 ARM Architecture - ARMv7/ARMv8 instruction analysis for mobile/embedded exploitation
🌐 MIPS Support - Router and embedded device instruction sizing
⚡ RISC-V Support - Next-generation IoT and embedded systems

🎯 What is this?

A web-based calculator that provides exact instruction sizes for x86 assembly instructions, designed specifically for exploit developers working with ROP (Return-Oriented Programming) chains.

🔍 Why Precision Matters

In exploit development, every byte counts:

Buffer overflow constraints require exact payload sizes
Shellcode optimization needs minimal instruction footprints
ROP chain construction demands precise stack calculations
Badchar avoidance relies on accurate size estimations

🚀 Features

📊 Single Gadget Analysis

Calculate individual instruction sizes with real x86 encoding precision:

mov eax, 0        ; 5 bytes (B8 00 00 00 00)
xor eax, eax      ; 2 bytes (31 C0) - Better!
pop eax           ; 1 byte  (58)
        

🔗 ROP Chain Analysis

Analyze complete chains with automatic gadget grouping:

pop eax ; ret           ; 2 bytes (offset: +0)
neg eax ; ret           ; 2 bytes (offset: +2)
xchg eax, ebp ; ret     ; 2 bytes (offset: +4)
        

🎯 Accurate Encoding Database

1000+ instruction patterns with exact byte sizes
Real x86 opcode mappings (not conservative estimates)
ModR/M byte calculations for memory operations
Immediate value handling for different data sizes

🎮 Usage Examples

Basic Instruction Analysis

# Input
pop eax ; ret

# Output
Instructions Analysis: pop eax ; ret (2 bytes)
Total Instruction Size: 2 bytes
        

Complex ROP Chain

# Input
pop eax ; ret
neg eax ; ret
mov eax, [eax] ; ret
add eax, ebp ; ret

# Output
Gadget #1: pop eax ; ret (2 bytes, offset: +0)
Gadget #2: neg eax ; ret (2 bytes, offset: +2)
Gadget #3: mov eax, [eax] ; ret (3 bytes, offset: +4)
Gadget #4: add eax, ebp ; ret (3 bytes, offset: +7)
Total Size: 10 bytes
        

🛠️ Technical Details

Supported Architectures

✅ x86 (32-bit) - Complete instruction database
✅ x64 (64-bit) - Core instruction support

Instruction Categories

Single-byte: ret, nop, push eax, pop eax, inc eax, etc.
Two-byte: Register operations, memory moves, arithmetic
Multi-byte: Immediate values, displacement addressing
Special: retn 0x04, conditional jumps, calls

Encoding Accuracy

Based on Intel x86 instruction encoding format:

[Prefixes] [Opcode] [ModR/M] [SIB] [Displacement] [Immediate]

🎓 Educational Use

Perfect for:

🎯 OSED Certification prep (EXP-301)
🛡️ Exploit Development training
🔬 Security Research and analysis
📚 Assembly Programming education
🧩 Reverse Engineering practice

🤝 Reporting Issues

Please include:

The exact instruction that's wrong
Expected vs actual size
Reference documentation (Intel manual page)
Contact me: LinkedIn Profile